Security can't take a backseat in health care, says Bryan Cline at the Children's Hospital of Philadelphia, reports Dan Kaplan.
To Bryan Cline, IT security in health care is playing a game of catch-up with other industries that also view data as their most prized asset.
For years, he's observed other verticals – such as government, financial services and retail – become more tightly regulated thanks to aggressively enforced laws and industry guidelines that threaten significant penalties for noncompliance. Health care, on the other hand, largely has lagged in the adoption of security technologies – even seemingly no-brainer solutions such as firewalls, says Cline, the director of information services and risk management at the Children's Hospital of Philadelphia (CHOP).
“The problem is, health care is behind the times when it comes to security,” he says. “But this shouldn't come as any real surprise. Our focus is on quality health care delivery and improving patient outcomes. It really is all about the kids.”
But when Cline, 49, joined the hospital, he decided security didn't have to suffer for patient treatment to succeed – even if the lax enforcement of the Health Insurance Portability and Accountability Act (HIPAA) wasn't necessarily pushing his department to act. So on arriving at the 430-bed facility, he borrowed from the highly regarded NIST and COBIT frameworks to create a unique model for addressing security, risk and compliance. This enables one of the nation's top pediatric facilities to approach security of its electronic patient health records in the same way a bank might design the protection of its customers' transaction histories.
“When I came in a year ago, the hospital was in traditional reaction mode,” he recalls. “Basically, the hospital offloaded information security to IT. It was a subset. You really had no holistic view of risk across the enterprise.”
As it would turn out, Cline was on to something. Whether the health care industry is ready or not, the traditional mindset of affixing Band-Aids to each security problem is going to have to change, say experts. That is because an unprecedented health IT shot-in-the-arm – complete with more stringent security and privacy provisions – is coming to a medical facility near you.
The Obama administration's economic stimulus bill passed in February earmarks some $19 billion for the adoption of electronic health records (EHR). The bill incentivizes health care organizations, namely smaller physician practices, to go digital by offering them $2 billion in grants and $17 billion in Medicaid and Medicare reimbursements. The hope is that the implementation of computerized records will improve the efficiency and effectiveness of care, reduce medical errors and lower costs. In a sign of validation for the initiative, mighty Wal-Mart is getting in on the cash now, announcing in March that it plans to partner with its Sam's Club division to sell, install and maintain EHR systems.
The ultimate goal of the Obama plan is to create an interoperability specification that will enable the seamless exchange of patient health care data among doctor's offices and hospitals across the country. Right now, if records are in a digital format, most sit on disparately formatted systems and are therefore unable to be shared across settings.
Security provisions in place
While some health care organizations, such as CHOP, have been running IT records systems for several years – the board there has funded Cline's department some $200 million over the past four years for its EHR project – most will not be used to having so much technology funding at their fingertips, warn experts. As a result, these enterprises may overlook security.
Patrick Heim, CISO for Kaiser Permanente, a leading health care provider with 37 hospitals throughout the country, likens the influx of funding to pouring coal into the burner of a steam train. The fuel will make the train go faster, he says, but speed isn't necessarily the most important thing.
“Do we have the appropriate brakes in place?” he asked recently during an IT health care panel at the RSA Conference in San Francisco. “We need to be careful we are part of the design. We don't want to build security on afterward.”
Considering the sophistication of external hackers or the potential blunders and purposeful attacks that can be perpetrated by insiders, now is not the time to be laissez-faire about security, say experts. Especially in an industry that already is reeling from a number of high-profile breaches.
All told, health care was responsible for 20.5 percent of exposed records in 2008, totaling more than seven million, according to the San Diego-based Identity Theft Resource Center. So far in 2009, some 14 percent of compromised records are health care-related. Only the government/military sector has been the victim of more.
In one of the more egregious recent examples, Kaiser Permanente's Bellflower Medical Center in California fired 15 workers after they accessed without permission the medical records of octuplet mother Nadia Suleman. The employees never exceeded their access rights, but did choose to disregard a message that popped up on the facility's EHR system, warning them that if they proceeded and did not have a business justification, they would be punished, Heim says.
They did so anyway. “I think there are a lot of unanswered questions,” he says of computerized patient records.
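The Bellflower incident above rests on two controls: the EHR warns a user who has no treatment relationship that a business justification is required, and the audit trail records whether the user proceeded anyway. The following is an added example, not code from the article or from Kaiser Permanente, that runs that detection logic over constructed sample audit lines; the field layout, the care-team table and the patient identifiers are all assumptions for illustration.

```python
"""Flag EHR chart accesses that lack a care relationship or a business justification.

Added example (not from the article or any vendor): the warning-and-audit pattern
described above, run over constructed sample audit lines. The field layout,
care-team table and patient identifiers are assumptions for illustration.
"""
import csv
from io import StringIO
from typing import Dict, List, Set

# Constructed audit log: timestamp, user, role, patient id, action, whether the
# "business justification required" warning was shown, and the free-text
# justification the user typed (empty if they simply clicked through).
AUDIT_LOG = """\
ts,user,role,patient,action,warning_shown,justification
2009-02-10T08:01:00,rn_alice,nurse,P-1001,view,no,
2009-02-10T08:03:00,md_bob,physician,P-1001,view,no,
2009-02-10T09:15:00,clerk_cara,billing,P-1001,view,yes,
2009-02-10T09:16:00,rn_dave,nurse,P-1001,view,yes,
2009-02-10T09:20:00,md_erin,physician,P-1001,view,yes,ED consult requested by md_bob
2009-02-10T10:00:00,rn_alice,nurse,P-2002,view,no,
2009-02-10T10:05:00,md_frank,physician,P-2002,view,no,
"""

# Constructed care-team assignments: users with a treatment relationship
# to each patient, which is what should suppress the warning.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-1001": {"rn_alice", "md_bob"},
    "P-2002": {"rn_alice"},
}


def parse_audit(text: str) -> List[dict]:
    """Parse the CSV audit extract into one dict per access event."""
    return list(csv.DictReader(StringIO(text)))


def find_unjustified_access(rows: List[dict]) -> List[str]:
    """Users who were shown the warning and proceeded without recording a reason.

    A user who types a justification is left for the privacy office to review
    rather than alerted on, so the break-the-glass path still works for
    legitimate consults.
    """
    return [
        r["user"]
        for r in rows
        if r["warning_shown"] == "yes" and not r["justification"].strip()
    ]


def find_warning_gaps(rows: List[dict], care_team: Dict[str, Set[str]]) -> List[str]:
    """Control failure check: off-team access where the system showed no warning.

    These are not user violations but evidence that the relationship check
    itself missed a case, which matters as much as the click-throughs.
    """
    return [
        r["user"]
        for r in rows
        if r["user"] not in care_team.get(r["patient"], set())
        and r["warning_shown"] == "no"
    ]


def summarize(rows: List[dict], care_team: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Bundle both findings into one report for the privacy office."""
    return {
        "clicked_through": find_unjustified_access(rows),
        "warning_gaps": find_warning_gaps(rows, care_team),
    }


if __name__ == "__main__":
    print(summarize(parse_audit(AUDIT_LOG), CARE_TEAM))
```

The two lists answer different questions: the first is a people problem (users who ignored the warning), the second is a systems problem (accesses the warning should have caught but did not). Reviewing only the first would have missed the second even in a real deployment.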
To combat the possibility of breaches like that one, the part of the stimulus bill addressing EHRs, known as the HITECH Act of 2009, significantly strengthens the protection of identifiable health information by expanding the scope of HIPAA. Namely, the bill prescribes two things: It extends HIPAA regulations to “business associates,” such as billing, transcription or pharmacy benefit companies, and not just so-called covered entities, such as health care providers. Second, it creates what essentially is the first ever federal data breach notification law, by requiring that patients be alerted if their data is illegally accessed. In addition, the law prohibits the sale of patient data, and sets audit trail and encryption guidelines. The U.S. Department of Health and Human Services and the Federal Trade Commission are charged with publishing guidance around what technologies and methodologies organizations should implement to protect health information and how these entities should alert victims in the event of a breach.
In essence, the language of HITECH is designed to move patient data protection mandates into line with the digital age.
“With paper, you can pretty much lock your chart away,” says John Perry, IT director at Visalia Medical Clinic, a 50-physician health facility near Fresno, Calif. “Now with technology and EHR, it's not so much the physical access, but the ability to breach networks. There's also the possibility that a piece of hardware or a notebook will walk away. There's a lot more issues to be covered with the electronic health record.”
Consequences of EHR
When patient records become computerized, the risk of theft, improper access or accidental disclosure rises, say experts.
“Unlike a paper system, a single security incident in an automated information system can result in the loss of confidentiality, integrity or availability of thousands of records,” Cline says. “That is why it's so important that security requirements are identified early in the system development life cycle. This way they can be designed into the system rather than bolted on, which can adversely affect system functionality and usability.”
In a January letter to Congress, the American Civil Liberties Union urged Congress to adopt protections for EHRs. The letter called out numerous scenarios of data compromises, such as a broker buying and selling records, or an employer deciding not to hire a job candidate after improperly learning that the prospective worker would be too expensive to insure.
“Once everything is electronic, it makes it much easier to abuse the system,” says Paul Proctor, vice president, distinguished analyst at Gartner. “Now if someone gets access to something, it's like opening Pandora's box. It's all standardized in a common format that is readable by any application. It makes a very appetizing thing for people to go after.”
Perhaps the most profitable pitfall of EHRs is medical ID theft. FBI Supervisory Special Agent Keith Mularski, who recently helped break up the cybercrime forum known as Dark Market, resulting in some 60 arrests, says he has yet to see a notable surge in medical data being traded in the criminal underground.
“The bad guys want the cash,” he said during a law enforcement panel at the RSA Conference. “They need to be able to make money to justify their actions.”
But a market for patient records is emerging, say some experts. Web security firm Finjan discovered a crime server last year containing 500 megabytes of data, including information belonging to health care providers. Finjan CTO Yuval Ben-Itzhak says this information is growing in value because more commonly traded goods, such as credit card numbers, are becoming a commodity.
“People can use health care information to get false prescriptions and then they can go sell drugs online,” he says. “They can use it for insurance purposes. They can file different forms and get money from insurance companies because they know the exact details of a medical problem.”
Stephen Parente, associate professor at the University of Minnesota, and a health care policy adviser to Sen. John McCain during his presidential campaign, says the makers and users of EHRs must ensure the platforms contain advanced analytics that can detect fraud before it is too late.
“If [an attacker] is clever about it, they can electronically create a family that moves into town,” Parente says. “If there are no handoffs, and things are moving completely electronically, it's easy to almost fabricate a fake world that is moving seamlessly.”
When it comes to protecting health records, much is made about deploying proper access control and data masking technologies – and for good reason. But none of that can stop a social engineering email ruse or an insecure web application that might enable malware to get onto a machine and sniff information, says Finjan's Ben-Itzhak.
“Even if the data was encrypted using SSL and even if the doctor had their own authentication technique, it doesn't matter,” he says. “Once the data appears on the browser on the doctor's PC, the trojan collects it.”
Dave Meizlik, director of product marketing at San Diego-based security firm Websense, says health facilities must identify what is confidential, monitor who is using data and how they are doing it, and then implement enforcement and educational controls.
“The burden is to make sure [these facilities] are subscribing to a set of services that are going to protect the confidentiality of that data, and that their staffs are educated on how to use, store and share that information,” he says. “If they're not doing that, they're failing miserably at looking out for their patients.”
IT versus doctors
Of course, security isn't the easiest thing to add on at a hospital, where doctors often need instant access to health records. Many medical centers fear that doctors who aren't satisfied with the usability of their platforms might decide to leave for another facility where they feel more comfortable.
As one hospital security administrator put it during the health care RSA panel: “The manager of security versus a doctor? I will lose, always.”
Visalia's Perry says that after HIPAA took effect in the late 1990s, the IT department began forcing doctors to use more stringent passwords, instead of a single password that everyone used to access applications.
“I thought that was it for me,” he recalls. “I thought I was going to be strung up by the nearest tree.” Now, he says, most physicians realize security is a necessary evil.
Companies such as Sentillion make identity management products for hospitals. Sentillion offers a solution that ties IT access into an employee's building access badge. “You have to find a balance between security and productivity,” says CTO David Fusari.
At CHOP, Cline says he finds that if controls are built into EHRs at the beginning – and not changed as a result of some security breakdown – doctors generally accept them.
“We're trying our best to reposition ourselves in IT security and begin addressing these issues earlier in our project management and system development life cycles,” he says. “We're also trying to figure out the best way to get in front of our clinicians and educate them on why we need to protect patient information and our intellectual property. In individual encounters, our clinicians are more willing to accommodate security if we just communicate our concerns.”
Health care: PCI-like guidelines
To help organizations respond to new security provisions outlined in the economic stimulus bill, a set of prescriptive, risk-based best practices for health care providers and their partners has emerged.
In March, the Health Information Trust Alliance (HITRUST) unveiled its Common Security Framework (CSF) with the backing of a number of industry heavyweights. It is being billed as the first ever IT security control framework designed for health care.
The standards were borne out of industry concern that organizations are not properly interpreting existing health care privacy and security regulations and that there exists a lack of guidance around information protection, says HITRUST CEO Dan Nutkis.
It cross-references regulations, such as the HITECH Act, part of the stimulus package; as well as HIPAA and the new Massachusetts data security law; industry guidelines, such as PCI; and global standards, such as ISO, NIST and COBIT.
Creators of the CSF said they hope having supporters, such as Kaiser Permanente, McKesson and the Children's Hospital of Philadelphia (CHOP) will lead to its widespread adoption.
“You're going to see a lot more breaches, and then health care is going to be like everyone else – slow to react,” says Bryan Cline at CHOP. “This is out of control.”
He says eventually he would like to see the framework offer some “safe harbor” protection to an organization that might suffer a breach, but was deemed compliant.
For more information on the HITRUST standards, visit www.hitrustalliance.net/csf.
– Dan Kaplan
EHR resistance: Privacy laws to blame
According to a March study that appeared in the New England Journal of Medicine, a survey of roughly 3,000 hospitals showed that eight percent have a basic EHR system in place. The news is better, albeit slightly, at doctor's offices, where 17 percent of 2,700 physicians surveyed use basic systems, a 2008 survey concluded.
Ironically, statutes governing patient privacy may be one of the biggest impediments. In February, a joint report from the University of Virginia and the Massachusetts Institute of Technology, titled “Privacy Protection and Technology Diffusion: The Case of Electronic Health Records,” concluded that a patchwork of state regulations reduced adoption by 24 percent.
“Privacy protection inhibits [EHR] diffusion…by raising compliance costs,” Amalia Miller and Catherine Tucker wrote. “Complying with privacy laws increases the costs of electronic record systems and, in particular, the costs of sharing information.”
But, the authors concede that their study did not examine the potential benefit that security requirements could bring.
“There may be spillovers in the form of increased information security from the increased requirements to protect confidentiality,” they wrote, adding, “Future research is also needed to establish whether privacy-protecting systems can be designed that do not add to the variable costs of exchanging patient information.” – Dan Kaplan
EHRs: 5 tips for transitioning
1 Access visibility – Do you know who in the organization has access to patient care systems and data and whether the access is required for their job role?
2 Access change management – Does the organization have controls in place that can determine what access is appropriate as a person changes functional roles within the organization?
3 Access risk management – Can the organization proactively spot and remediate access-related risks before they turn into incidents?
4 Compliance automation – Does the organization have a system of record to automate the process of demonstrating compliance with regulations?
5 Governance – How are IT security groups within health care organizations going to drive responsibility and accountability for governing user access into the business?
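Tips 1, 2 and 4 above reduce to one recurring review: compare the entitlements each account actually holds against what its current job role permits, single out the leftovers from a previous role, and produce a report that can serve as the system of record. The following is an added example, not code from the article or from any of the vendors it names; the roles, entitlement names and accounts are constructed for illustration.

```python
"""Access review for EHR entitlements: who has what, and does their role require it?

Added example (not from the article or any vendor): reconciles actual grants
against a role-to-entitlement matrix, covering tips 1, 2 and 4. Roles,
entitlement names and accounts are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed role matrix: the entitlements each job role is approved to hold.
ROLE_MATRIX: Dict[str, Set[str]] = {
    "physician": {"ehr.chart.read", "ehr.chart.write", "ehr.orders.write"},
    "nurse": {"ehr.chart.read", "ehr.mar.write"},
    "billing": {"ehr.demographics.read", "billing.claims.write"},
}


@dataclass
class Account:
    user: str
    role: str            # current HR role
    previous_role: str   # role before the last transfer ("" if none)
    grants: Set[str]     # entitlements actually present in the EHR


# Constructed account inventory, including one transfer that kept old access
# and one account whose role is not in the matrix at all.
ACCOUNTS: List[Account] = [
    Account("md_bob", "physician", "",
            {"ehr.chart.read", "ehr.chart.write", "ehr.orders.write"}),
    Account("rn_alice", "nurse", "",
            {"ehr.chart.read", "ehr.mar.write", "ehr.orders.write"}),
    Account("clerk_cara", "billing", "nurse",
            {"ehr.demographics.read", "billing.claims.write",
             "ehr.chart.read", "ehr.mar.write"}),
    Account("tmp_dan", "contractor", "", {"ehr.chart.read"}),
]


def excess_grants(acct: Account, matrix: Dict[str, Set[str]]) -> Set[str]:
    """Tip 1: entitlements the account holds beyond what its role permits.

    A role absent from the matrix has no approved entitlements, so every
    grant on such an account is excess until someone defines the role.
    """
    return acct.grants - matrix.get(acct.role, set())


def stale_from_previous_role(acct: Account, matrix: Dict[str, Set[str]]) -> Set[str]:
    """Tip 2: excess grants explained by the former role, i.e. access that
    should have been removed on transfer but was not."""
    if not acct.previous_role:
        return set()
    return excess_grants(acct, matrix) & matrix.get(acct.previous_role, set())


def review(accounts: List[Account], matrix: Dict[str, Set[str]]) -> List[dict]:
    """Tip 4: one finding per account with excess access, in a shape that can
    be stored as the review's record of what was checked and when."""
    findings = []
    for a in accounts:
        excess = excess_grants(a, matrix)
        if not excess:
            continue
        findings.append({
            "user": a.user,
            "role": a.role,
            "excess": sorted(excess),
            "stale_from_transfer": sorted(stale_from_previous_role(a, matrix)),
            "unknown_role": a.role not in matrix,
        })
    return findings


if __name__ == "__main__":
    for f in review(ACCOUNTS, ROLE_MATRIX):
        print(f)
```

The `stale_from_transfer` field is what turns a list of anomalies into something a manager can act on: an entitlement that matches the user's old role is almost always a missed deprovisioning step rather than a deliberate grant, and can be revoked with far less discussion than access nobody can explain.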